Executive Summary

Independent Evaluation of the FDIC’s Information Security Program—2010
Report No. AUD-11-001
November 2010

Why We Did The Audit

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including the FDIC, to have an annual independent evaluation by agency Inspectors General of their information security program and practices and to report the results of the evaluation to the Office of Management and Budget (OMB). The FDIC Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to perform an audit to fulfill the requirements for the 2010 independent evaluation. The objective of the audit was to evaluate the effectiveness of the FDIC’s information security program and practices, including the FDIC’s compliance with FISMA and related information security policies, procedures, standards, and guidelines. KPMG reviewed a sample of information systems, including three designated by the FDIC as major applications.

We will separately issue our responses to specific questions raised by OMB in its April 21, 2010 memorandum, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, through the OMB automated collection tool. Our responses to the OMB questions, together with this report, satisfy our 2010 FISMA reporting requirements.

Background

Key to achieving the FDIC’s mission of maintaining stability and public confidence in the nation’s financial system is safeguarding the information the FDIC collects and manages in its roles as federal deposit insurer of banks and savings associations and as receiver for failed institutions. Ensuring the confidentiality, integrity, and availability of this information in an environment of increasingly sophisticated security threats requires a strong, enterprise-wide information security program.

FISMA directs the National Institute of Standards and Technology (NIST) to develop information security standards and guidelines. NIST has published Federal Information Processing Standards and Special Publications to fulfill this requirement. The NIST documentation includes risk management guidelines that provide a flexible framework for ensuring the adequacy and effectiveness of information security controls over information resources that support federal operations and assets. The standards and guidelines published by NIST are not legally binding on the FDIC, but the FDIC’s policy is to voluntarily comply with those standards.

Audit Results

KPMG concluded that the FDIC information security program had a risk management framework that generally meets FISMA requirements and NIST security guidance. KPMG also concluded that the effectiveness of certain internal control activities within five of the seven phases of the risk management framework needed improvement.

KPMG determined that internal controls related to the phases Creating and Maintaining an Inventory and Selecting Security Requirements complied with the risk management framework described in NIST standards and guidance, were consistent with FISMA, and demonstrated effectiveness. However, KPMG also determined that certain internal controls in the phases Categorizing Information Systems, Implementing Security Controls, Assessing Security Controls, Authorizing Information Systems, and Monitoring Security Controls needed improvement. Importantly, the FDIC needed to improve its processes for categorizing information systems that input, store, process, or output information assigned a high-potential-impact level by the FDIC; addressing common security controls that are relied upon by multiple systems; ensuring the timeliness of and support for system authorization decisions; and continuously monitoring security controls.

KPMG also evaluated whether the FDIC had completed corrective actions in response to the security deficiencies identified during the 2009 FISMA performance audit. KPMG concluded that while the FDIC had completed corrective action on 12 of 18 prior-year issues, 6 prior-year issues required additional action. Of particular note, the FDIC had not implemented an enterprise-wide approach for reviewing audit logs of the FDIC’s inventory of information systems. A similar deficiency was also reported during the previous two annual FISMA audits.

Recommendations and Management Comments

The FDIC can strengthen its information security program by implementing KPMG’s 12 recommendations that address internal control deficiencies identified in the 5 risk management phases. On November 5, 2010, the Chief Information Officer (CIO) and Director, Division of Information Technology, provided a written response to a draft of this report. The CIO generally agreed with KPMG’s recommendations or provided alternative actions that meet the intent of the recommendations. Therefore, all of the recommendations are resolved but remain open until corrective actions are completed and determined to be responsive. In response to the recommendations, the CIO stated that planned actions include issuing guidance on processes for categorizing information and systems, implementing an approach for addressing common security control requirements, and completing and implementing a tactical plan for the FDIC’s continuous monitoring of security requirements.

To view the full report, go to www.fdicig.gov/2010reports.asp